Update Management Process

Updated: June 1, 2007


In This Module

This module provides an introduction to update management and explains why update management is essential for enterprise systems. It introduces security terminology, together with descriptions of common vulnerabilities and types of threat. It also describes the processes used within Microsoft to develop and release software updates, and shows how these relate to the steps you should take for proactive security update management. Finally, the four-phase update management process that Microsoft recommends is introduced, with more details presented in the following modules.

The purpose of this module is to introduce the key issues for update management in a Microsoft Windows operating system-based environment, and to describe the main tools, technologies, and processes that Microsoft recommends to support this task.

Objectives

Use this module to:

  • Review secure IT management and the costs of weak security.

  • Understand the term "update management" and key security terminology.

  • Analyze key vulnerabilities and how these relate to Microsoft severity ratings, threat categories, and the types of threat agents that currently exist.

  • Look at how Microsoft fixes software after release, and at the Microsoft terminology for software updates.

  • See examples of the importance of proactive security update management.

  • Determine the most appropriate update management tools and technologies for your environment.

  • Describe the basic elements of the four-phase approach to update management.

Applies To

This module applies to all Microsoft products and technologies.

How To Use This Module

This module provides an introduction to security update management, covering the key terms and concepts, tools and technologies, and an overview of the recommended four-phase update management process. Examples of historical attacks are provided, together with the ways in which these attacks could have been avoided, had appropriate proactive security update management been carried out.

To gain the most from this module, you should:

Update Management Overview

Update management is the process of controlling the deployment and maintenance of interim software releases into production environments. It helps you to maintain operational efficiency and effectiveness, overcome security vulnerabilities, and maintain the stability of your production environment.

If your organization cannot determine and maintain a known level of trust within its operating systems and application software, it might have a number of security vulnerabilities, which, if exploited, could lead to a loss of revenue and intellectual property. Minimizing this threat requires you to have properly configured systems, to use the latest software, and to install the recommended software updates.

You should consider the following areas when determining the potential financial impact of poor update management:

  • Downtime:

    What is the cost of computer downtime in your environment? What if critical business systems are interrupted? Determine the opportunity cost of lost end-user productivity, missing transactions on critical systems, and lost business during an incident. Downtime is caused by most attacks, either by the attack itself or by the corresponding remediation required when recovering. Some attacks have left computers down for several days.

  • Remediation time:

    What is the cost of fixing a wide-ranging problem in your environment? How much does it cost to reinstall a computer? What if you had to reinstall all your computers? Many security attacks require a complete reinstallation to be certain that back doors (permitting future exploits) were not left by the attack.

  • Questionable data integrity:

    In the event that an attack damages data integrity, what is the cost of recovering that data from the last known good backup, or confirming data correctness with customers and partners?

  • Lost credibility:

    What does it cost if you lose credibility with your customers? How much does it cost if you lose one or more customers?

  • Negative public relations:

    What is the impact to your organization from negative public relations? How much could your stock price or company valuation fall if you are seen as an unreliable company with which to do business? What would be the impact of failing to protect your customer's personal information, such as credit card numbers?

  • Legal defenses:

    What might it cost to defend your organization from others taking legal action after an attack? Organizations providing important services to others have had their update management process (or lack of one) put on trial.

  • Stolen intellectual property:

    What is the cost if any of your organization's intellectual property is stolen or destroyed?

Assessing and maintaining the integrity of software in a networked environment through a well-defined update management program is the key first step toward successful information security, regardless of any restrictions to physical access to a computer.

Security Terminology

This section introduces key terminology that you should understand when participating in the security update management process. Table 1 describes the key security terms that are used throughout these modules.

Table 1: Important Security Terms

Term | Definition
Vulnerability | Software, hardware, a procedural weakness, a feature, or a configuration that could be a weak point exploited during an attack. Also called an exposure.
Threat | A source of danger.
Threat agent | The person or process attacking a system through a vulnerability in a way that violates your security policy.
Attack | A threat agent attempting to take advantage of vulnerabilities for unwelcome purposes.
Countermeasure | Software configurations, hardware, or procedures that reduce risk in a computer environment. Also called a safeguard or mitigation.

Vulnerabilities

There are various ways through which software can become vulnerable to attack. Table 2 lists several typical software vulnerabilities.

Table 2: Software Vulnerabilities

Term | Definition
Buffer overrun (overflow) | An unchecked buffer in a program that can overwrite the program code with new data. If the program code is overwritten with new executable code, the effect is to change the program's operation as dictated by the attacker.
Privilege elevation (escalation) | Allows users or attackers to attain higher privileges in certain circumstances.
Validation error (source code) | Allows malformed data to have unintended consequences.

MSRC Vulnerability Severity Ratings

The Microsoft Security Response Center (MSRC) uses severity ratings to help you determine the urgency of vulnerabilities and related software updates. Table 3 lists the ratings used by MSRC to categorize the severity of a vulnerability.

Table 3: Vulnerability Severity Ratings

Rating | Definition
Critical | A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
Important | A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.
Moderate | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
Low | A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

For more information about MSRC vulnerability severity ratings, see the Microsoft Security Response Center Security Bulletin Severity Rating System: https://www.microsoft.com/technet/security/bulletin/rating.mspx.

Threat Categories

Microsoft has developed the STRIDE model, summarized in Table 4, to categorize software threats. These categories are often used in Microsoft security bulletins to describe the nature of a security vulnerability.

Table 4: STRIDE Model of Threat Categories

Term | Definition
Spoofing identity | Illegally obtaining access and use of another person's authentication information, such as a user name or password.
Tampering with data | The malicious modification of data.
Repudiation | Associated with users who deny performing an action, yet there is no way to prove otherwise. (Non-repudiation refers to the ability of a system to counter repudiation threats, and includes techniques such as signing for a received parcel so that the signed receipt can be used as evidence.)
Information disclosure | The exposure of information to individuals who are not supposed to have access to it, such as accessing files without having the appropriate rights.
Denial of service | An explicit attempt to prevent legitimate users from using a service or system.
Elevation (Escalation) of privilege | Where an unprivileged user gains privileged access. An example of privilege elevation would be an unprivileged user who contrives a way to be added to the Administrators group.

Note: For more information about the STRIDE model and how Microsoft trains developers to write secure code, see Howard, Michael and David LeBlanc, Writing Secure Code, Second Edition, Redmond, WA: Microsoft Press, 2002. (https://www.microsoft.com/mspress/books/5957.asp).

You can also find additional information, as well as useful readings, on an alliance Web site:

https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

Threat Agents

Malicious threats are attacks from inside or outside a network that have the intent to harm or disrupt an organization. Non-malicious threats usually come from untrained employees, who are unaware of security threats and vulnerabilities. Table 5 describes several malicious threat agents.

Table 5: Threat Agents

Term | Definition
Virus | An intrusive program that infects computer files by inserting copies of self-replicating code, and deletes critical files, makes system modifications, or performs some other action to cause harm to data on the computer or to the computer itself. A virus attaches itself to a host program.
Worm | A self-replicating program, often malicious like a virus, that can spread from computer to computer without infecting files first.
Trojan horse | Software or e-mail that professes to be useful and benign, but which actually performs some destructive purpose or provides access to an attacker.
Mail bomb | A malicious e-mail sent to an unsuspecting recipient. When the recipient opens the e-mail or runs the program, the mail bomb performs some malicious action on their computer.
Attacker | A person or organization carrying out an attack.
Adware | Any software application or program in which advertising banners are displayed or pop-up windows appear while the program is running. Adware is considered "Spyware" and is installed without the user's knowledge.
Spyware | Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with Spyware. Once installed, the Spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers. Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of Spyware is to download certain peer-to-peer file swapping products that are available today.

Note: While automated threats such as viruses are written to take advantage of specific vulnerabilities, an attacker who is targeting your organization has no such limitations. An attacker will try to compromise an environment by any means available.

Directed attacks can be carried out locally or remotely, and can include an exhaustive search for one of many possible vulnerabilities, including software vulnerabilities, weak passwords, weak security configurations, and security policy or training vulnerabilities.

How Microsoft Fixes Software After Release

Microsoft is committed to protecting customers from security vulnerabilities. As part of this effort, Microsoft makes available periodic releases of software updates. For more information on this effort, see the "Trustworthy Computing" white paper, located at https://www.microsoft.com/mscorp/twc/twc_whitepaper.mspx.

Every Microsoft product group includes a sustaining engineering team, which develops software updates for problems that are discovered after the product has been released.

When Microsoft is made aware of a security vulnerability, the issue is evaluated and verified by the MSRC and the appropriate product groups. The product group's sustaining engineering team then creates and tests a security update to remedy the issue, while the MSRC works with the reporter of the vulnerability to coordinate the release of public information in the form of a security bulletin that has the security update details.

Microsoft then distributes the software update through the Microsoft Download Center and other services, including:

Automatic Updates:

  • Microsoft Windows Update

  • Microsoft Office Update

  • Microsoft Update

User Initiated (defined) Updates

  • Microsoft Systems Management Server (SMS) 2003

  • Microsoft Windows Server Update Service (WSUS)

Just as the software update is about to be released, the MSRC sends out a related security bulletin.

Note: Security updates are developed for multiple versions of the operating system and applications. To understand the support levels that you can expect for different software versions, you can review the Microsoft product support life cycle policies at:

https://support.microsoft.com/default.aspx?scid=fh;[LN];lifecycle.

Typically, security updates are made available for supported products not only on the current service pack, but also the one previous. However, this is not always the case, so you should check the product support life cycle policies for your products to be sure.

Microsoft recommends that customers use the update management solution that best meets their needs. In general, WSUS addresses simple update management scenarios, while Systems Management Server (SMS) 2003 supports advanced update management needs. Table 6 shows typical customer choices for various organizational size segments:

Table 6: Organizational Size Segments

Customer Type | Scenario | Customer Choice
Large or Medium Enterprise | The organization wants a single, flexible update management solution with an extended level of control that enables them to update (and distribute) all Windows operating systems and applications and also includes an integrated asset management solution. | SMS 2003
Large or Medium Enterprise | The organization wants a solution for update management only that provides simple updating for Microsoft software—initially supporting Windows 2000 and later supporting Office 2003, Office XP, Exchange Server 2000 and later, SQL Server 2000 and later. | WSUS (1)
Small Business | The business has at least one Windows server and one IT administrator. | WSUS (1)
Small Business | All other scenarios | Microsoft Update or Windows Update (2)
Consumer | All other scenarios | Microsoft Update or Windows Update (2)

(1) Customers can use another update tool, or a manual update process, for operating system versions and applications not supported by WSUS or Microsoft Update.

(2) Microsoft Update is the new Web-hosted update service that will deliver updates for additional Microsoft software. Microsoft Update will be available in conjunction with the release of WSUS. Windows Update will continue to be available.

Software Update Terminology

Table 7 lists the current Microsoft standard terms for software updates, which became effective from June 30, 2003. Note that the term patch is no longer used by Microsoft to describe a software update, except as part of the term security patch or when describing the process of update management (which is well understood terminology in the software industry).

Table 7: Microsoft Terminology for Software Updates

Term | Definition
Security patch | A broadly released fix for a specific product, addressing a security vulnerability. A security patch is often described as having a severity, which actually refers to the MSRC severity rating of the vulnerability that the security patch addresses.
Critical update | A broadly released fix for a specific problem, addressing a critical, non-security related bug.
Update | A broadly released fix for a specific problem, addressing a non-critical, non-security related bug.
Hotfix | A single package composed of one or more files used to address a problem in a product. Hotfixes address a specific customer situation, are only available through a support relationship with Microsoft, and may not be distributed outside the customer organization without written legal consent from Microsoft. The terms QFE (Quick Fix Engineering update), patch, and update have been used in the past as synonyms for hotfix.
Update rollup | A collection of security patches, critical updates, updates, and hotfixes, which are released as a cumulative offering or targeted at a single product component, such as Microsoft Internet Information Services (IIS) or Microsoft Internet Explorer. Allows for easier deployment of multiple software updates.
Service pack | A cumulative set of hotfixes, security patches, critical updates, and updates since the release of the product, including many resolved problems that have not been made available through any other software updates. Service packs may also contain a limited number of customer-requested design changes or features. Service packs are broadly distributed and tested by Microsoft more than any other software updates.
Integrated service pack | The combination of a product with a service pack in one package.
Feature pack | A new feature release for a product that adds functionality. Usually rolled into the product at the next release.

Note: Because these definitions are new, several existing resources and tools do not use the terms as they are defined in the table above.

The Importance of Proactive Update Management

There have been several widely-publicized attacks and vulnerabilities related to Microsoft software. Many organizations with proactive update management in place were not affected by these attacks, because they acted on information that Microsoft made available in advance of the attack.

In Table 8, several historical attacks are identified, along with the date of the attack. In each case, an MSRC bulletin had previously been released that identified the vulnerability and described how to prevent future exploits of it (through software updates and other countermeasures). The last column in the table, Days Available Before Attack, lists the number of days that organizations had to implement the MSRC recommendations and avoid the future attack.

Table 8: Historical Attack Examples and Related MSRC Bulletins

Attack Name | Date Publicly Discovered | MSRC Severity | MSRC Bulletin | MSRC Bulletin Date | Days Available Before Attack
Zotob | August 14, 2005 | Critical | MS05-039 | August 9, 2005 | 5
Trojan.Kaht | May 5, 2003 | Critical | MS03-007 | Mar 17, 2003 | 49
SQL Slammer | Jan 24, 2003 | Critical | MS02-039 | Jul 24, 2002 | 184
Sasser | May 1, 2004 | * | MS04-011 | May 15, 2004 | 14
Blaster | Aug 12, 2003 | * | MS03-026 | Aug 27, 2003 | 25
Klez-E | Jan 17, 2002 | * | MS01-020 | Mar 29, 2001 | 294
Nimda | Sept 18, 2001 | * | MS00-078 | Oct 17, 2000 | 336
Code Red | Jul 16, 2001 | * | MS01-033 | Jun 18, 2001 | 28

* Bulletins released before MSRC severities were in place.

These modules are designed to help you prevent future attacks like these, specifically focusing on the Days Available Before Attack column in the table.
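The following PowerShell script is an added example, not part of the original module: it recomputes the Days Available Before Attack window from the attack and bulletin dates printed in Table 8, flags any row whose recorded value differs from the computed one (or whose bulletin date falls after the attack date, which needs a manual look rather than a silent accept), and then applies a constructed 21-day deployment lead time to each row to show whether a process with that lead time would have closed the window before the attack. The dates and recorded values are copied from the table as printed; the 21-day lead time is a sample value to replace with your own measured figure.

```powershell
# Added example; not part of the original module. Recomputes the
# "Days Available Before Attack" window from the dates in Table 8
# and checks each row against the value the table records.

# Rows copied from Table 8 as printed, with dates in ISO form for parsing.
$table8 = @(
    @{ Name = 'Zotob';       Attack = '2005-08-14'; Bulletin = 'MS05-039'; BulletinDate = '2005-08-09'; Recorded = 5   },
    @{ Name = 'Trojan.Kaht'; Attack = '2003-05-05'; Bulletin = 'MS03-007'; BulletinDate = '2003-03-17'; Recorded = 49  },
    @{ Name = 'SQL Slammer'; Attack = '2003-01-24'; Bulletin = 'MS02-039'; BulletinDate = '2002-07-24'; Recorded = 184 },
    @{ Name = 'Sasser';      Attack = '2004-05-01'; Bulletin = 'MS04-011'; BulletinDate = '2004-05-15'; Recorded = 14  },
    @{ Name = 'Blaster';     Attack = '2003-08-12'; Bulletin = 'MS03-026'; BulletinDate = '2003-08-27'; Recorded = 25  },
    @{ Name = 'Klez-E';      Attack = '2002-01-17'; Bulletin = 'MS01-020'; BulletinDate = '2001-03-29'; Recorded = 294 },
    @{ Name = 'Nimda';       Attack = '2001-09-18'; Bulletin = 'MS00-078'; BulletinDate = '2000-10-17'; Recorded = 336 },
    @{ Name = 'Code Red';    Attack = '2001-07-16'; Bulletin = 'MS01-033'; BulletinDate = '2001-06-18'; Recorded = 28  }
)

function ConvertTo-IsoDate {
    param([string]$Text)
    return [datetime]::ParseExact($Text, 'yyyy-MM-dd', $null)
}

function Get-ExposureWindow {
    # Whole days between bulletin publication and the public appearance of the attack.
    param([string]$BulletinDate, [string]$AttackDate)
    $b = ConvertTo-IsoDate $BulletinDate
    $a = ConvertTo-IsoDate $AttackDate
    return (New-TimeSpan -Start $b -End $a).Days
}

function Test-DeployedInTime {
    # True when the update was deployed strictly before the attack date.
    param([string]$DeployedDate, [string]$AttackDate)
    return ((ConvertTo-IsoDate $DeployedDate) -lt (ConvertTo-IsoDate $AttackDate))
}

# Constructed sample: an organization that deploys Critical security
# updates 21 days after the bulletin. Replace with your measured lead time.
$leadTimeDays = 21

foreach ($row in $table8) {
    $days = Get-ExposureWindow -BulletinDate $row.BulletinDate -AttackDate $row.Attack

    if ($days -lt 0) {
        $check = 'CHECK DATES: bulletin date is after the attack date'
    } elseif ($days -ne $row.Recorded) {
        $check = "MISMATCH: table records $($row.Recorded)"
    } else {
        $check = 'matches table'
    }

    # Date on which this organization would have finished deploying the fix.
    $deployed = (ConvertTo-IsoDate $row.BulletinDate).AddDays($leadTimeDays).ToString('yyyy-MM-dd')
    $inTime   = Test-DeployedInTime -DeployedDate $deployed -AttackDate $row.Attack

    '{0,-12} {1,-9} window {2,4} days  {3,-50}  {4}-day deployment in time: {5}' -f `
        $row.Name, $row.Bulletin, $days, $check, $leadTimeDays, $inTime
}
```

Run it as-is to see which historical windows a 21-day lead time would have covered; then replace `$leadTimeDays` with the bulletin-to-deployment lag your own records show, which turns the table into a direct measure of how your process would have fared.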

Note: Proactive update management is an effective way to limit attacks that target known software vulnerabilities. The preceding table does not capture directed, intentional attacks performed by people inside or outside the target organization, who searched for and exploited security vulnerabilities with criminal intent.

To provide a better understanding of the relationship between MSRC bulletins and the opportunities they give to organizations that want a secure environment, the following sections briefly describe two historical attacks:

  • Code Red

  • SQL Slammer worms

Avoiding Attacks, Example 1: Code Red

Code Red is a worm that spread very quickly and had the potential for great impact. On July 16, 2001, the original Code Red worm spread to 250,000 computers in only nine hours. The various effects of the worm included slower Internet speeds, Web page outages and defacements, and disruption of business and personal applications, such as e-mail and e-commerce.

Code Red exploited a buffer overrun vulnerability within IIS to execute code on Web servers. IIS is installed by default with Microsoft Windows Server 2000 and is used by many applications.

Some organizations avoided Code Red by following the directions of MS01-033, an MSRC security bulletin released on June 18, 2001, 28 days before Code Red was released.

For more information on this security bulletin, including technical aspects and countermeasures, see:

https://www.microsoft.com/technet/security/bulletin/ms01-033.mspx.

Avoiding Attacks, Example 2: SQL Slammer

SQL Slammer (or Sapphire) is a worm that targets Microsoft SQL Server 2000 and Microsoft Data Engine (MSDE) 2000 systems, resulting in a high volume of network traffic on both the Internet and private internal networks, acting (some might say unintentionally) as an effective denial of service attack.

At approximately 9:30 P.M. Pacific Time on Friday, January 24, 2003, SQL Slammer caused a dramatic increase in network traffic worldwide. An analysis of the SQL Slammer worm shows:

  • The worm required roughly 10 minutes to spread worldwide, making it by far the fastest worm to date.

  • In the early stages, the number of compromised hosts doubled in size every 8.5 seconds.

  • At its peak (achieved approximately three minutes after the worm was released), it scanned the net at over 55 million Internet Protocol (IP) addresses per second.

  • It infected at least 75,000 servers and probably considerably more.

SQL Slammer exploited a buffer overrun vulnerability, which was first identified by Microsoft in security bulletin MS02-039 (July 2002), 184 days before the attack, and was identified again in security bulletin MS02-061. With each bulletin, a security patch was offered as well as appropriate countermeasures.

For more information on this security bulletin, including technical aspects and countermeasures, see:

https://www.microsoft.com/technet/security/bulletin/ms02-039.mspx.

Lessons Learned from SQL Slammer

One of the challenges organizations faced in avoiding SQL Slammer was the ubiquitous nature of MSDE and even SQL Server, because they are installed and used by many other products.

The SQL Slammer attack highlighted three important lessons on the nature of security vulnerabilities:

  • Having an accurate sense of all the computers, products, and technologies that are present in your environment is an important prerequisite for successful update management.

  • An effective attack does not require vulnerabilities on high-value assets. SQL Slammer effectively interrupted mission-critical operations through low-value, vulnerable computers on the same network.

  • Deploying a security patch once may not be sufficient to eliminate a vulnerability. Regular scanning to identify the recurrence of vulnerabilities, coupled with incident management to address them, is equally important.

Requirements for Successful Update Management

Because update management is designed to give an organization control over the software updates it deploys, any organization planning to update its operational environment should ensure that it has:

  • Effective operations, including people who understand their roles and responsibilities.

  • Tools and technologies that are most appropriate for effective update management.

  • Effective project management processes.

Effective Operations

MOF (Microsoft Operations Framework), the MOF Process Model, the MOF Service Management Functions (SMFs), and the MOF Team Model provide guidance for effective IT operations. Three of the SMFs (Change Management, Configuration Management, and Release Management) are especially crucial to update management.

Tools and Technologies

This section examines the automated tools that organizations of all sizes can use to manage and control software update installation. There are three principal Microsoft technologies available for enterprise update management of Windows-based systems:

  • Windows Server Update Services

  • Microsoft Baseline Security Analyzer

  • Systems Management Server 2003

Windows Server Update Services (WSUS)

WSUS is a free tool that allows you to install a service to download all critical updates, security updates, and service packs as they are posted to the Microsoft Update Web site at https://update.microsoft.com.

When you have approved these updates, WSUS will automatically make them available to all preconfigured servers running Microsoft Windows Server 2003 and Windows 2000, as well as to desktops running Windows XP Professional and Windows Vista.

The priority of security updates is established by the Microsoft Security Response Center (MSRC). For an overview of MSRC and the set of rules used in the decision-making process, see https://www.microsoft.com/security/msrc/default.mspx.

WSUS provides the following:

  • More updates for Microsoft products, in more categories

  • Ability to automatically download updates from Microsoft Update by product and type.

  • More language support for customers worldwide.

  • Maximized bandwidth efficiency through Background Intelligent Transfer Service (BITS) 2.0. (BITS 2.0 is not installed by Update Services and is available on Microsoft Update.)

  • Ability to target updates to specific computers and computer groups.

  • Ability to verify that updates are suitable for each computer before installation (this check runs automatically for critical and security updates).

  • Flexible deployment options.

  • Reporting capabilities.

  • Flexible database options.

  • Data migration and import/export capabilities.

  • Extensibility through the application programming interface (API).

WSUS features can be divided into two components, server-side and client-side. The following lists show the features on each side of WSUS:

Server-Side Features

  • Updates for Windows, Office, Exchange Server, and SQL Server, with additional product support over time

  • Specific updates can be set to download automatically

  • Automated actions for updates determined by administrator approval

  • Ability to determine the applicability of updates before installing them

  • Targeting

  • Replica synchronization

  • Reporting

  • Extensibility

Client-Side Features

  • Powerful and extensible management of the Automatic Updates service

  • Self-updating for client computers

  • Automatic detection of applicable updates

WSUS enables information technology administrators to deploy the latest Microsoft product updates to Microsoft Windows Server 2003 and Windows 2000, as well as to desktops running Windows XP Professional and Windows Vista. By using WSUS, you can fully manage the distribution of updates that are released through Microsoft Update to computers in your network.

The WSUS server component is installed on a computer running Windows 2000 Server with Service Pack 4 (SP4) or Windows Server 2003 inside the enterprise's firewall. The WSUS server provides the features that administrators need to manage and distribute updates through a Web-based administration tool, which can be accessed from Internet Explorer on any Windows computer in the corporate network, or, for WSUS 3.0, through an MMC snap-in that can be run on any Windows computer in the corporate network. Note that WSUS 3.0 requires MMC 3.0. In addition, a WSUS server can be the update source for other WSUS servers.

The WSUS client computer component runs on Windows Vista, Windows XP, Windows 2000 with SP3, and Windows Server 2003 operating systems. Automatic Updates enables both server and client computers to receive updates from Microsoft Update or from a server running WSUS.

WSUS does not provide scanning and auditing functionality, so a WSUS-based update management solution also requires the use of the Microsoft Baseline Security Analyzer 2.0 tool.

Note: This page includes a summary of the WSUS product overview. The full product overview for WSUS 3.0 is also available.

Summary information on the use of WSUS and MBSA to support update management is given in the following modules:

For detailed information on using WSUS and MBSA to support update management, see Windows Server Update Services (WSUS) Technical Library.
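The following PowerShell script is an added example, not code from the original module or from the WSUS product: it uses the WSUS 3.0 administration API (the Microsoft.UpdateServices.Administration assembly installed with the WSUS server or its remote console) to list security updates that have not yet been approved, grouped by the MSRC severity ratings in Table 3, and to approve the Critical ones to a pilot computer target group so they are tested before broader rollout. The server name, port, and the group name 'Pilot' are assumptions to adjust; the script runs in report-only mode until `$dryRun` is set to `$false`.

```powershell
# Added example; not code from the original module or from WSUS itself.
# Assumes the WSUS 3.0 administration assembly is present (WSUS server
# or remote console) and that a computer target group named 'Pilot'
# exists. Server name, port and group name are assumptions to adjust.

$serverName     = 'localhost'
$useSsl         = $false
$port           = 8530      # WSUS 3.0 default when installed on its own Web site; 80 on the default site
$pilotGroupName = 'Pilot'   # hypothetical pilot group name
$dryRun         = $true     # report only; set to $false to actually approve

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($serverName, $useSsl, $port)

# Resolve the pilot target group; stop early if it does not exist.
$pilot = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $pilotGroupName }
if ($pilot -eq $null) { throw "Target group '$pilotGroupName' does not exist on $serverName" }

# Security updates that are neither approved, declined nor superseded.
$pending = $wsus.GetUpdates() | Where-Object {
    $_.UpdateClassificationTitle -eq 'Security Updates' -and
    -not $_.IsApproved -and -not $_.IsDeclined -and -not $_.IsSuperseded
}

# Triage summary by MSRC severity (the ratings in Table 3).
'Unapproved security updates by MSRC severity:'
$pending | Group-Object MsrcSeverity | Sort-Object Name |
    ForEach-Object { '  {0,-12} {1,4}' -f $_.Name, $_.Count }

# Stage the Critical ones to the pilot group so they are tested first.
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
foreach ($u in ($pending | Where-Object { $_.MsrcSeverity -eq 'Critical' })) {
    if ($dryRun) {
        "Would approve for $($pilot.Name): $($u.Title)"
        continue
    }
    # Approval fails for updates whose license agreement has not been accepted.
    if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
    [void]$u.Approve($install, $pilot)
    "Approved for $($pilot.Name): $($u.Title)"
}
```

Approving to a pilot group first, rather than to All Computers, is what turns the "Ability to target updates to specific computers and computer groups" feature into a safe deployment step: the pilot machines report back through WSUS before the same approval is extended to production groups.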

Microsoft Baseline Security Analyzer (MBSA) 2.0.1

Microsoft Baseline Security Analyzer (MBSA) 2.0.1 is an easy-to-use tool that helps small and medium-sized businesses evaluate their security according to Microsoft security recommendations. This article discusses the availability of MBSA 2.0.1.

MBSA 2.0.1 detects products that are currently supported by Microsoft Update, the central catalog of updates for Microsoft products. Microsoft Update replaces Windows Update. Windows Update only updates Microsoft Windows operating system products. Microsoft Update hosts the detection logic for MBSA 2.0.1 and other tools.

MBSA 2.0.1 scans for missing security updates and reports on a computer's adherence to common security best practices (such as strong passwords), and identifies any configuration options that leave the computer open to potential security vulnerabilities. MBSA can also be configured to report on updates that have already been approved on a WSUS server, but have not yet been installed.

MBSA 2.0.1 performs scanning for identifying administrative vulnerabilities on Microsoft Windows Vista; Windows 2000; Windows XP; Windows Server 2003; Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0; Microsoft Internet Explorer 5.01, 5.5, and 6.0 (including Internet Explorer 6.0 for Windows XP SP2 and Internet Explorer 6.0 for Windows Server 2003); Microsoft SQL Server 7.0 and SQL Server 2000; and Microsoft Office 2000, Office XP, and Office 2003. Note that MBSA 2.0.1 only supports remote scans for Windows Vista. The upcoming MBSA version 2.1 will support local scans of Windows Vista systems.

MBSA 2.0.1 includes many improvements and new features from the prior 1.2.1 version. We recommend that most customers use MBSA 2.0. To download MBSA, visit the MBSA home page at the following Microsoft Web site:
https://www.microsoft.com/technet/security/tools/mbsahome.mspx

MBSA 2.0.1 includes the following key features:

  • Severity ratings

  • Local and remote scans for Microsoft Office XP and later security updates

  • Additional guidance for locating updates and taking appropriate action

  • CVE-IDs for supported updates

  • Improved help content

  • Compatibility with Windows Server Update Services

  • Automatic Microsoft Update registration and agent update

  • Detection of updates on Windows XP Embedded and on 64-bit versions of Microsoft Windows

Although MBSA can identify, at the domain or subnet level, what is required to secure a particular computer, it does not provide any method for distributing the updates to those computers or for configuring them. For this reason, MBSA should be used in combination with WSUS to provide an update management solution. MBSA does, however, provide information on how to remediate any vulnerabilities found, including links to Knowledge Base articles and white papers.

MBSA 2.0.1 provides a graphical interface for viewing the reports generated for each computer, and it can also be scripted from the command line. MBSA downloads an XML file from the Microsoft Download Center so that it always uses a current list of assessment details for new security-related software updates.
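The following PowerShell script is an added example, not part of the original module or of MBSA itself. It shows how a command-line MBSA scan can be run against a list of computers and its XML report reduced to the one question the Assess and Identify phases ask: which WSUS-approved updates are still missing. It assumes mbsacli.exe is on the path, that the /target, /wa, /nvc and /xmlout switches behave as described in the MBSA 2.0.1 help, and that the report uses a SecScan root with UpdateData elements carrying IsInstalled, Severity, KBID and BulletinID attributes; the computer names are constructed sample values.

```powershell
# Added example (not from the original module): script MBSA 2.0.1 from the command line
# and summarize which WSUS-approved updates each computer has not yet installed.
# Assumptions: mbsacli.exe is on the path; switch behaviour as in the MBSA 2.0.1 help text;
# report schema <SecScan> / <UpdateData IsInstalled= Severity= KBID= BulletinID=>.

$computers = @('CONTOSO\FS01', 'CONTOSO\WEB02')   # constructed sample target list

function Get-MissingUpdates {
    param([string]$Target)
    # /wa     : report only updates already approved on the WSUS server (approved, not installed)
    # /nvc    : skip the "newer MBSA version available" check so the scan runs unattended
    # /xmlout : write the security-update report as XML to standard output
    $raw = & mbsacli.exe /target $Target /wa /nvc /xmlout 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $raw) {
        # Offline host, blocked RPC/SMB ports, or missing administrative rights on the target.
        return [pscustomobject]@{ Computer = $Target; Scanned = $false; Missing = @() }
    }
    [xml]$report = ($raw -join "`n")
    $missing = $report.SelectNodes("//UpdateData[@IsInstalled='false']") | ForEach-Object {
        [pscustomobject]@{
            Bulletin = $_.BulletinID
            KB       = $_.KBID
            Severity = $_.Severity
        }
    }
    [pscustomobject]@{ Computer = $Target; Scanned = $true; Missing = @($missing) }
}

$results = $computers | ForEach-Object { Get-MissingUpdates -Target $_ }

# Summarize per computer; a failed scan is reported separately so it is not mistaken for "compliant".
foreach ($r in $results) {
    if (-not $r.Scanned) {
        Write-Warning "$($r.Computer): scan failed (offline, firewalled, or no administrative rights)"
        continue
    }
    Write-Host ("{0}: {1} approved update(s) not yet installed" -f $r.Computer, $r.Missing.Count)
    $r.Missing | Sort-Object Severity -Descending | Format-Table -AutoSize
}
```

Because MBSA only reports, the list produced here is input for the WSUS or SMS deployment step, not a deployment by itself.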

More information on MBSA can be found at https://www.microsoft.com/mbsa.

Systems Management Server 2003

Microsoft Systems Management Server (SMS) 2003 is the preferred mechanism for deploying and managing the distribution of software updates to a large number of clients. It provides the following functionality, which is essential for successful deployment:

  • Inventory functions to determine how many computers have been deployed and to identify their locations and roles.

  • Inventory functions to identify which software applications and software updates have been installed and which need to be installed on the deployed computers.

  • Scheduling functions that allow an organization to deploy software updates outside regular working hours, or at a time that has the least impact on business operations.

  • Status reporting that allows administrators to monitor installation progress.

The SMS 2003 inventory scanning programs are key to the effective management of software updates. They are used to create an inventory of applicable and installed updates for each client computer, using an automated source of detection logic. The resulting data is included in the Systems Management Server inventory and a comprehensive view of the status is provided through the Web-based reporting capabilities. Typically, the inventory data will be limited to those items that are released by Microsoft as security bulletins.

SMS 2003 includes the following tools (also available in the SMS 2.0 Software Update Services Feature Pack):

  • Security Update Inventory Tool

  • Microsoft Office Inventory Tool for Updates

  • Distribute Software Updates Wizard

  • Inventory Tool for Microsoft Updates

Note: Beta 2 of the next release of SMS, entitled System Center Configuration Manager 2007, is now available for download at https://www.microsoft.com/technet/sms/2007/evaluate/download.mspx. With major investments in simplicity, configuration, deployment, and security, Configuration Manager 2007 dramatically simplifies system deployment, task automation, compliance management, and policy-based security management, allowing for increased business agility.

Security Update Inventory Tool

The Security Update Inventory Tool builds on SMS inventory capabilities and takes advantage of the power of MBSA to scan each client for security updates. The resulting data is included in the SMS inventory, and a comprehensive status is provided through Web-based reports. This tool is not installed on SMS sites by default, but it is part of the SMS 2003 Software Update Scanning Tools, and can be downloaded from https://www.microsoft.com/smserver/downloads/2003/default.asp.

Microsoft Office Inventory Tool for Updates

The Microsoft Office Inventory Tool for Updates uses the existing Microsoft Office Inventory Tool to carry out automated, ongoing scans of SMS clients for installed or applicable Office updates. The resulting data is converted and included in the SMS inventory, and can also be viewed through Web-based reports. This tool is part of the SMS 2003 SP1 scan tools. It is not installed on SMS sites by default, but it is part of the SMS 2003 Software Update Scanning Tools, and can be downloaded from https://www.microsoft.com/smserver/downloads/2003/default.asp.

Distribute Software Updates Wizard

The Distribute Software Updates Wizard compares available updates with the inventory of client computers to determine missing and previously installed updates. Only the necessary updates are installed; redundant or unnecessary updates are ignored or postponed, which reduces system overhead.

The Distribute Software Updates Wizard provides the following capabilities:

  • Addition to the inventory of the software update status of all clients, based on new security update information.

  • Review and authorization of updates identified as missing.

  • Tailoring of packages and advertisements to each update or set of updates.

  • Distribution of update advertisements to computers using SMS software distribution capabilities.

  • Windows Update style notifications and a rich end-user experience.

  • Use of timers to allow users to save and close applications, and optionally to enable users to postpone updates or to choose not to restart their system.

More information on SMS 2003 can be found at https://www.microsoft.com/smserver.

Summary information on the use of SMS 2003 to support update management is given in the following modules:

For detailed information on using SMS 2003 to support update management, see Technical Library for Systems Management Server 2003.

Tools and Technologies Comparison

Table 10 compares the capabilities provided by SMS 2003 and WSUS.

Table 10: Update Management Capabilities

Capability: Supported Platforms for Content
  WSUS: Windows 2000, Windows Server 2003, Windows XP
  SMS 2003: Windows NT 4.0, Windows 2000, Windows Server 2003, Windows XP, Windows 98

Capability: Supported Content Types
  WSUS: Windows 2000+, Exchange 2000+, SQL Server 2000+, Office XP+ with expanding support
  SMS 2003: All security patches, Service Packs, and updates for the above platforms. Also supports security patch, update, and application installations for Microsoft and other applications.

Capability: Targeting Content to Systems
  WSUS: Yes, for Microsoft content
  SMS 2003: Yes

Capability: Network Bandwidth Optimization
  WSUS: Yes, for update deployment
  SMS 2003: Yes, for update deployment and server synchronization

Capability: Patch Distribution Control
  WSUS: Simple
  SMS 2003: Advanced

Capability: Patch Installation and Scheduling Flexibility
  WSUS: Controlled by administrator (automatic) or user (manual)
  SMS 2003: Administrator-controlled with granular scheduling capabilities

Capability: Patch Installation Status Reporting
  WSUS: Yes, for Microsoft content
  SMS 2003: Comprehensive: installation status, result, and compliance details

Capability: Deployment Planning
  WSUS: Not applicable
  SMS 2003: Yes

Capability: Inventory Management
  WSUS: Not applicable
  SMS 2003: Yes

Capability: Compliance Checking
  WSUS: Yes
  SMS 2003: Yes

Effective Project Management Processes

In order to get the best results, you should treat your use of the update management process outlined in this module as a project, using an effective project management process.

Many organizations have their own methodologies, all of which should be compatible with the guidance provided in this module. Microsoft recommends using Microsoft Solutions Framework (MSF) for project management guidance. For more information about MSF, see https://www.microsoft.com/technet/solutionaccelerators/msf/default.mspx.

The Four-Phase Approach to Update Management

The update management process that Microsoft recommends is a four-phase approach to managing software updates, which is designed to give your organization control over the deployment and maintenance of interim software releases into your production environment.

The four phases are:

Assess

The process starts with an assessment of what you have in your production environment, what security threats and vulnerabilities you might face, and whether your organization is prepared to respond to new software updates.

For more detailed information on the Assess phase, see the module, "Update Management Phase 1 - Assess."

Identify

Your goal during the Identify phase is to discover new software updates in a reliable way, determine whether they are relevant to your production environment, and determine whether an update represents a normal or emergency change.

For more detailed information on the Identify phase, see the module, "Update Management Phase 2 - Identify."

Evaluate and Plan

Your goal during the Evaluate and Plan phase is to make a go/no-go decision to deploy the software update, determine what is needed to deploy it, and test the software update in a production-like environment to confirm that it does not compromise business-critical systems and applications.

For more detailed information on the Evaluate and Plan phase, see the module, "Update Management Phase 3 - Evaluate and Plan."

Deploy

Your goal during the Deploy phase is to successfully roll out the approved software update into your production environment so that you meet all of the requirements of any deployment service level agreements (SLAs) you have in place.

For more detailed information on the Deploy phase, see the module, "Update Management Phase 4 - Deploy."

Figure 1 illustrates the process and its four phases.

Figure 1. The Microsoft-recommended four-phase update management process

This four-phase process is based on the MOF Change Management, Release Management, and Configuration Management service management functions (SMFs), which can be found at https://www.microsoft.com/technet/itsolutions/cits/mo/default.mspx.

Read other security solutions from the Microsoft Solutions for Security and Compliance (MSSC) team.

Give Us Your Feedback

The Microsoft Solutions for Security and Compliance (MSSC) team would appreciate your thoughts about this and other security solutions.

Have an opinion? Let us know on the Security Solutions Blog for the IT Professional.

Or e-mail your feedback to the following address: SecWish@microsoft.com. We respond often to feedback that is sent to this mailbox.

We look forward to hearing from you.